Update and add index

terminal/linuxcontainers

@@ -1,4 +1,4 @@
-                                                                                   Awesome Linux Containers
+                                                                                                          Awesome Linux Containers
 
 !#StandWithBelarus (https://img.shields.io/badge/Belarus-red?label=%23%20Stand%20With&labelColor=white&color=red)
  (https://bysol.org/en/) !Stand With Ukraine (https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/badges/StandWithUkraine.svg) (https://vshymanskyy.github.io/StandWithUkraine)
@@ -28,26 +28,23 @@
 
 About the Author
 
-Hello, everyone! My name is Filipp, and I have been working with high load distribution systems and services, security, monitoring, continuous deployment and release management (DevOps 
-domain) since 2012.
+Hello, everyone! My name is Filipp, and I have been working with high load distribution systems and services, security, monitoring, continuous deployment and release management (DevOps domain) since 2012.
 
-One of my passions is developing DevOps solutions and contributing to the open-source community. By sharing my knowledge and experiences, I strive to save time for both myself and others 
-while fostering a culture of collaboration and learning.
+One of my passions is developing DevOps solutions and contributing to the open-source community. By sharing my knowledge and experiences, I strive to save time for both myself and others while fostering a culture of collaboration and 
+learning.
 
-I had to leave my home country, Belarus, due to my participation in protests against the oppressive regime of dictator Lukashenko 
-(https://en.wikipedia.org/wiki/2020%E2%80%932021_Belarusian_protests), who maintains a close affiliation with Putin. Since then, I'm trying to build my life from zero in other countries.
+I had to leave my home country, Belarus, due to my participation in protests against the oppressive regime of dictator Lukashenko (https://en.wikipedia.org/wiki/2020%E2%80%932021_Belarusian_protests), who maintains a close affiliation 
+with Putin. Since then, I'm trying to build my life from zero in other countries.
 
-If you are seeking a skilled DevOps lead or architect to enhance your project, I invite you to connect with me on LinkedIn (https://www.linkedin.com/in/filipp-frizzy-289a0360/) or explore my 
-valuable contributions on GitHub (https://github.com/Friz-zy/). Let's collaborate and create some cool solutions together :)
+If you are seeking a skilled DevOps lead or architect to enhance your project, I invite you to connect with me on LinkedIn (https://www.linkedin.com/in/filipp-frizzy-289a0360/) or explore my valuable contributions on GitHub 
+(https://github.com/Friz-zy/). Let's collaborate and create some cool solutions together :)
 
 Foundations
 
 ⟡ OPEN CONTAINER INITIATIVE (https://www.opencontainers.org/)  
-The Open Container Initiative is a lightweight, open governance structure, to be formed under the auspices of the Linux Foundation, for the express purpose of creating open industry standards
-around container formats and runtime.
+The Open Container Initiative is a lightweight, open governance structure, to be formed under the auspices of the Linux Foundation, for the express purpose of creating open industry standards around container formats and runtime.
 ⟡ Cloud Native Computing Foundation (https://cncf.io/)  
-The Cloud Native Computing Foundation will create and drive the adoption of a new set of common container technologies informed by technical merit and end user value, and inspired by 
-Internet-scale computing.
+The Cloud Native Computing Foundation will create and drive the adoption of a new set of common container technologies informed by technical merit and end user value, and inspired by Internet-scale computing.
 ⟡ Cloud Foundry Foundation (https://www.cloudfoundry.org/foundation/)  
 The Cloud is our foundry.
 
@@ -58,11 +55,11 @@
 ⟡ App Container basics (https://github.com/coreos/rkt/blob/master/Documentation/app-container.md)  
 App Container (appc) is an open specification that defines several aspects of how to run applications in containers: an image format, runtime environment, and discovery protocol.
 ⟡ Systemd Container Interface (https://wiki.freedesktop.org/www/Software/systemd/ContainerInterface/)  
-Systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. If you write a container 
-solution, please consider supporting the following interfaces.
+Systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. If you write a container solution, please consider supporting the following 
+interfaces.
 ⟡ Nulecule Specification (https://github.com/projectatomic/atomicapp/tree/master/docs/spec)  
-Nulecule defines a pattern and model for packaging complex multi-container applications and services, referencing all their dependencies, including orchestration metadata in a container image
-for building, deploying, monitoring, and active management.
+Nulecule defines a pattern and model for packaging complex multi-container applications and services, referencing all their dependencies, including orchestration metadata in a container image for building, deploying, monitoring, and 
+active management.
 ⟡ Oracle microcontainer manifesto (https://blogs.oracle.com/developers/the-microcontainer-manifesto)  
 This is not a new container format, but simply a specific method for constructing a container that allows for better security and stability.
 ⟡ Cloud Native Application Bundle Specification (https://github.com/deislabs/cnab-spec)  
@@ -73,8 +70,7 @@
 ⟡ Amazon EC2 Container Service  (https://aws.amazon.com/ecs/)   
 Container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances.
 ⟡ Google Cloud Platform (https://cloud.google.com/container-engine/)  
-Run Docker containers on Google Cloud Platform, powered by Kubernetes. Google Container Engine actively schedules your containers, based on declared needs, on a managed cluster of virtual 
-machines. 
+Run Docker containers on Google Cloud Platform, powered by Kubernetes. Google Container Engine actively schedules your containers, based on declared needs, on a managed cluster of virtual machines. 
 ⟡ Jelastic (http://jelastic.com/)  
 Unlimited PaaS and Container-Based IaaS in a Joint Cloud Solution for DevOps.
 ⟡ Joyent (https://www.joyent.com/)  
@@ -82,19 +78,18 @@
 ⟡ Kubernetes (http://kubernetes.io/)  
 Manage a cluster of Linux containers as a single system to accelerate Dev and simplify Ops.
 ⟡ Mesosphere (https://mesosphere.com/)  
-The Mesosphere Datacenter Operating System (DCOS) is a new kind of operating system that spans all of the machines in your datacenter or cloud. It provides a highly elastic, and highly 
-scalable way of deploying applications, services and big data infrastructure on shared resources.
+The Mesosphere Datacenter Operating System (DCOS) is a new kind of operating system that spans all of the machines in your datacenter or cloud. It provides a highly elastic, and highly scalable way of deploying applications, services 
+and big data infrastructure on shared resources.
 ⟡ OpenShift Origin (https://www.openshift.org/)  
-OpenShift Origin is a distribution of Kubernetes (http://kubernetes.io/) optimized for continuous application development and multi-tenant deployment. Origin adds developer and 
-operations-centric tools on top of Kubernetes to enable rapid application development, easy deployment and scaling, and long-term lifecycle maintenance for small and large teams.
+OpenShift Origin is a distribution of Kubernetes (http://kubernetes.io/) optimized for continuous application development and multi-tenant deployment. Origin adds developer and operations-centric tools on top of Kubernetes to enable 
+rapid application development, easy deployment and scaling, and long-term lifecycle maintenance for small and large teams.
 ⟡ Warden (https://github.com/cloudfoundry/warden)  
 Manages isolated, ephemeral, and resource controlled environments. Part of Cloud Foundry - the open platform as a service project.
 ⟡ Virtuozzo (https://virtuozzo.com)  
-A platform, built on Virtuozzo containers, that can be easily run on top of any bare-metal or virtual servers in any public or private cloud, to automate, optimize, and accelerate internal IT
-and development processes.
+A platform, built on Virtuozzo containers, that can be easily run on top of any bare-metal or virtual servers in any public or private cloud, to automate, optimize, and accelerate internal IT and development processes.
 ⟡ Rancher (http://rancher.com/)  
-Rancher is a complete, open source platform for deploying and managing containers in production. It includes commercially-supported distributions of Kubernetes, Mesos, and Docker Swarm, 
-making it easy to run containerized applications on any infrastructure.
+Rancher is a complete, open source platform for deploying and managing containers in production. It includes commercially-supported distributions of Kubernetes, Mesos, and Docker Swarm, making it easy to run containerized applications 
+on any infrastructure.
 ⟡ Docker Swarm (https://docs.docker.com/engine/swarm/)  
 Docker Swarm is native clustering for Docker.
 ⟡ Azure Container Service (https://azure.microsoft.com/en-us/services/container-service/)  
@@ -102,11 +97,10 @@
 ⟡ CIAO (https://ciao-project.github.io/)  
  Cloud Integrated Advanced Orchestrator for Intel Clear Linux OS. 
 ⟡ Alibaba Cloud Container Service (https://www.alibabacloud.com/fr/product/container-service)  
-Container Service is a high-performance and scalable container application management service that enables you to use Docker and Kubernetes to manage the lifecycle of containerized 
-applications.
+Container Service is a high-performance and scalable container application management service that enables you to use Docker and Kubernetes to manage the lifecycle of containerized applications.
 ⟡ Nomad (https://www.nomadproject.io/)  
- HashiCorp Nomad is a single binary that schedules applications and services on Linux, Windows, and Mac. It is an open source scheduler that uses a declarative job file for scheduling 
-virtualized, containerized, and standalone applications.
+ HashiCorp Nomad is a single binary that schedules applications and services on Linux, Windows, and Mac. It is an open source scheduler that uses a declarative job file for scheduling virtualized, containerized, and standalone 
+applications.
 
 Operating Systems
 
@@ -121,8 +115,7 @@
 ⟡ ResinOS (https://resinos.io/)  
 A host OS tailored for containers, designed for reliability, proven in production.
 ⟡ Photon (https://github.com/vmware/photon)  
-Photon OS is a minimal Linux container host designed to have a small footprint and tuned for VMware platforms. Photon is intended to invite collaboration around running containerized and 
-Linux applications in a virtualized environment.
+Photon OS is a minimal Linux container host designed to have a small footprint and tuned for VMware platforms. Photon is intended to invite collaboration around running containerized and Linux applications in a virtualized environment.
 ⟡ Clear Linux Project (https://clearlinux.org)  
 The Clear Linux Project for Intel Architecture is a distribution built for various Cloud use cases.
 ⟡ CargOS (https://cargos.io/)  
@@ -132,8 +125,7 @@
 ⟡ HypriotOS (http://blog.hypriot.com/about/)  
 Minimal Debian-based operating systems that is optimized to run Docker. It made it dead easy use Docker on any Raspberry Pi. 
 ⟡ MCL (https://mcl.host)  
-MCL (Minimal Container Linux) is a from scratch minimal Linux OS designed specifically to run containers. It has a small footprint of ~50MB and boots within seconds. It is currently optimized
-to run Docker.
+MCL (Minimal Container Linux) is a from scratch minimal Linux OS designed specifically to run containers. It has a small footprint of ~50MB and boots within seconds. It is currently optimized to run Docker.
 
 Hypervisors
 
@@ -142,8 +134,8 @@
 ⟡ LXD (https://github.com/lxc/lxd)  
 Daemon based on liblxc offering a REST API to manage LXC containers.
 ⟡ OpenVZ (https://openvz.org/)  
-OpenVZ is container-based virtualization for Linux. OpenVZ creates multiple secure, isolated Linux containers (otherwise known as VEs or VPSs) on a single physical server enabling better 
-server utilization and ensuring that applications do not conflict.
+OpenVZ is container-based virtualization for Linux. OpenVZ creates multiple secure, isolated Linux containers (otherwise known as VEs or VPSs) on a single physical server enabling better server utilization and ensuring that applications
+do not conflict.
 ⟡ MultiDocker (https://github.com/marty90/multidocker)  
 Create a secure multi-user Docker machine, where each user is segregated into an indepentent container.
 ⟡ Lithos (https://github.com/tailhook/lithos/)  
@@ -160,8 +152,7 @@
 ⟡ Rocket (https://github.com/coreos/rkt)  
 rkt (pronounced "rock-it") is a CLI for running app containers on Linux. rkt is designed to be composable, secure, and fast. Based on AppC specification.
 ⟡ LXC (https://github.com/lxc/lxc)  
-LXC is the well known set of tools, templates, library and language bindings. It's pretty low level, very flexible and covers just about every containment feature supported by the upstream 
-kernel.
+LXC is the well known set of tools, templates, library and language bindings. It's pretty low level, very flexible and covers just about every containment feature supported by the upstream kernel.
 ⟡ Vagga (https://github.com/tailhook/vagga)  
 Vagga is a fully-userspace container engine inspired by Vagrant and Docker, specialized for development environments.
 ⟡ libct (https://github.com/xemul/libct)  
@@ -179,8 +170,8 @@
 ⟡ cc-oci-runtime (https://github.com/01org/cc-oci-runtime)  
 Intel Clear Linux OCI (Open Containers Initiative) compatible runtime.
 ⟡ railcar (https://github.com/oracle/railcar)  
-Railcar is a rust implementation of the opencontainers initiative's runtime spec. It is similar to the reference implementation runc, but it is implemented completely in rust for memory 
-safety without needing the overhead of a garbage collector or multiple threads.
+Railcar is a rust implementation of the opencontainers initiative's runtime spec. It is similar to the reference implementation runc, but it is implemented completely in rust for memory safety without needing the overhead of a garbage 
+collector or multiple threads.
 ⟡ Kata Containers (https://katacontainers.io/)  
 Kata Containers is a new open source project building extremely lightweight virtual machines that seamlessly plug into the containers ecosystem.
 ⟡ plash (https://github.com/ihucos/plash/)  
@@ -190,8 +181,7 @@
 ⟡ podman (https://github.com/containers/libpod)  
 Full management of container lifecycle.
 ⟡ firecracker (https://github.com/firecracker-microvm/firecracker)  
-Firecracker runs workloads in lightweight virtual machines, called microVMs, which combine the security and isolation properties provided by hardware virtualization technology with the speed 
-and flexibility of containers.
+Firecracker runs workloads in lightweight virtual machines, called microVMs, which combine the security and isolation properties provided by hardware virtualization technology with the speed and flexibility of containers.
 ⟡ sysbox (https://github.com/nestybox/sysbox)  
 Sysbox is a "runc" that creates secure (rootless) containers / pods that run not just microservices, but most workloads that run in VMs (e.g., systemd, Docker, and Kubernetes), seamlessly.
 ⟡ youki (https://github.com/containers/youki)  
@@ -202,15 +192,13 @@
 Sandboxes
 
 ⟡ Firejail (https://l3net.wordpress.com/projects/firejail/)  
-Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux 
-capabilities.
+Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities.
 ⟡ NsJail (https://github.com/google/nsjail)  
 NsJail is a process isolation tool for Linux. It makes use of the namespacing, resource control, and seccomp-bpf syscall filter subsystems of the Linux kernel.
 ⟡ Subuser (https://github.com/subuser-security/subuser)  
 Securing the Linux desktop with Docker.
 ⟡ Snappy (https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement)  
-Snappy Ubuntu Core is a new rendition of Ubuntu with transactional updates - a minimal server image with the same libraries as today’s Ubuntu, but applications are provided through a simpler 
-mechanism.
+Snappy Ubuntu Core is a new rendition of Ubuntu with transactional updates - a minimal server image with the same libraries as today’s Ubuntu, but applications are provided through a simpler mechanism.
 ⟡ xdg-app (https://wiki.gnome.org/Projects/SandboxedApps)  
 xdg-app is a system for building, distributing and running sandboxed desktop applications on Linux.
 ⟡ Bubblewrap (https://github.com/projectatomic/bubblewrap)  
@@ -235,8 +223,8 @@
 ⟡ pyspaces (https://github.com/Friz-zy/pyspaces)  
 Works with Linux namespaces through glibc with pure python.
 ⟡ CRIU (https://criu.org/Main_Page)  
-Checkpoint/Restore In Userspace is a software tool for Linux operating system. Using this tool, you can freeze a running application (or part of it) and checkpoint it to a hard drive as a 
-collection of files. CRIU integrated with Docker and LXC to implement Live migration of containers.
+Checkpoint/Restore In Userspace is a software tool for Linux operating system. Using this tool, you can freeze a running application (or part of it) and checkpoint it to a hard drive as a collection of files. CRIU integrated with Docker
+and LXC to implement Live migration of containers.
 ⟡ Moby (https://github.com/moby/moby)  
 A "Lego set" of toolkit components for containers software created by Docker.
 
@@ -305,8 +293,8 @@
 ⟡ sockguard (https://github.com/buildkite/sockguard)  
 A proxy for docker.sock that enforces access control and isolated privileges.
 ⟡ gvisor (https://github.com/google/gvisor)  
-gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that 
-provides an isolation boundary between the application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
+gVisor is a user-space kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the 
+application and the host kernel. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
 ⟡ docker-explorer (https://github.com/google/docker-explorer/)  
 A tool to help forensicate offline docker acquisitions.
 ⟡ oci-seccomp-bpf-hook (https://github.com/containers/oci-seccomp-bpf-hook)  
@@ -341,19 +329,17 @@
 ⟡ always untrusted -> know it
 ⟡ suid bit -> mount with nosuid
 ⟡ limit available syscall -> seccomp-bpf, grsec
-⟡ leak to another container (bug in namespaces, filesystem) -> user namespaces with different uid inside for each container: 1000 in container - 14293 and 15398 outside; security modules like
-selinux or apparmor
+⟡ leak to another container (bug in namespaces, filesystem) -> user namespaces with different uid inside for each container: 1000 in container - 14293 and 15398 outside; security modules like selinux or apparmor
 
 2) system services like cron, ssh
 
 ⟡ run as root -> isolate via bastion host or vm
 ⟡ using /dev -> "devices" control group  
 The following device nodes are created in the container by default.  
-The Docker images are also mounted with nodev, which means that even if a device node was pre-created in the image, it could not be used by processes within the container to talk to the 
-kernel.  
+The Docker images are also mounted with nodev, which means that even if a device node was pre-created in the image, it could not be used by processes within the container to talk to the kernel.  
 /dev/console,/dev/null,/dev/zero,/dev/full,/dev/tty,/dev/urandom,/dev/random,/dev/fuse
 ⟡ root calls -> capabilities (cap_sys_admin warning!)  
-Here is the current list of capabilities that Docker uses: chown, dac_override, fowner, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, setfcap, and audit_write.
+Here is the current list of capabilities that Docker uses: chown, dac_override, fowner, kill, setgid, setuid, setpcap, net_bind_service, net_raw, sys_chroot, mknod, setfcap, and audit_write.  
 Docker removes several of these capabilities including the following:  
 CAP_SETPCAP 	Modify process capabilities  
 CAP_SYS_MODULE 	Insert/Remove kernel modules   
@@ -378,9 +364,8 @@
 . /proc/irq  
 . /proc/bus  
 Copy-on-write file systems  
-Docker uses copy-on-write file systems. This means containers can use the same file system image as the base for the container. When a container writes content to the image, it gets written 
-to a container specific file system. This prevents one container from seeing the changes of another container even if they wrote to the same file system image. Just as important, one 
-container can not change the image content to effect the processes in another container.
+Docker uses copy-on-write file systems. This means containers can use the same file system image as the base for the container. When a container writes content to the image, it gets written to a container specific file system. This 
+prevents one container from seeing the changes of another container even if they wrote to the same file system image. Just as important, one container can not change the image content to effect the processes in another container.
 ⟡ uid 0 -> user namespaces, uid 0 mappet to random uid outside
 
 3) system services like devices, network, filesystems
@@ -430,8 +415,7 @@
 Another Information Sources
 
 ⟡ sysdig-container-ecosystem (https://github.com/draios/sysdig-container-ecosystem)  
-The ecosystem of awesome new technologies emerging around containers and microservices can be a little overwhelming, to say the least. We thought we might be able to help: welcome to the 
-Container Ecosystem Project.
+The ecosystem of awesome new technologies emerging around containers and microservices can be a little overwhelming, to say the least. We thought we might be able to help: welcome to the Container Ecosystem Project.
 ⟡ doger.io (http://doger.io/)  
-This page is an attempt to document the ins and outs of containers on Linux. This is not just restricted to programmers looking to implement containers or use container like features in their
-own code but also Sysadmins and Users who want to get more of a handle on how containers work 'under the hood'. 
+This page is an attempt to document the ins and outs of containers on Linux. This is not just restricted to programmers looking to implement containers or use container like features in their own code but also Sysadmins and Users who 
+want to get more of a handle on how containers work 'under the hood'.